Annual Breach Report Finds Near-Record Number of Compromises…but Details Lacking
By Roy Urrico
The 2022 Annual Data Breach Report from the Identity Theft Resource Center’s (ITRC) revealed the number of data compromises in 2022 (1,802) was only 60 events short of the previous all-time high set in 2021; and victimized some 422.1 million individuals. However, the statistics represent only estimates resulting from data breach notices increasingly issued with incomplete or no details.
The El Cajon, Calif.-based ITRC, a national nonprofit organization, established to support victims of identity crime, revealed in its 17th annual study that 2022’s first half saw fewer compromises reported due, in part, to Russian-based cybercriminals being distracted by two key variables: the war in Ukraine and cryptocurrency market volatility. However, data compromises steadily increased in the second half of 2022.
The number of victims of identity crime impacted increased by almost 41.5% in 2022 from 2021. For 11 of the 12 months in 2022, the estimated number of data-compromised victims trended downward for the sixth consecutive year. However, that trend reversed with the disclosure of the availability of personally identifiable information (PII) of 221 million Twitter users in illegal identity marketplaces.
The number of compromises increased in six out of the 12 industries tracked by ITRC in 2022, but the number of estimated victims dropped in seven of the dozen areas. The largest growth in compromises occurred in the healthcare, manufacturing and utilities, and professional services industries. The largest growth, in terms of estimated victims, was in the financial services, hospitality, technology, and transportation industries (even though the number of compromises dropped in each group except technology).
Lack of Breach Information
“While we did not set a record for the number of data compromises in the U.S. last year, we came close,” said Eva Velasquez, president and CEO of the ITRC. “These compromises impacted at least 422 million people. These numbers are only estimates because data breach notices are increasingly issued with less information. This has resulted in less reliable data that impairs consumers, businesses and government entities from making informed decisions about the risk of a data compromise and the actions to take if impacted by one. People are largely unable to protect themselves from the harmful effects of data compromises, fueling an epidemic – a ‘scamdemic’ of identity fraud committed with compromised or stolen information.”
In 2022, “not specified” became the largest vector of cyberattacks leading to data breaches ahead of phishing and ransomware. Only 34% percent of data breach notices included victim and attack vector details.
Velasquez, in her CEO letter introducing the report, noted, “Each year there is some new superlative that gets attached to a statistic about cyberattacks and data compromises. Many times, it describes a number as the ‘most’ or ‘highest’ or ‘biggest’ of its kind.” She pointed out in 2022 it was the number 1,862 representing the largest number of publicly reported data compromises in a single year in the United States.
However, Velasquez warned approximately two-thirds of all public breach notices lacked the information individuals and businesses need to determine the risk to their identity information after a compromise.
The ITRC found the number of breach notices with detailed attack and victim information dropped by more than 50% since 2019. Velasquez added, “The trend away from transparency also points out the overall inadequacy of the current patchwork quilt of state data breach notification laws, many of which now date back to 2005 when virtually all breaches involved paper records, lost or stolen laptops, or data tapes lost in transit.”
Velasquez compared the U.S. average of about seven breach notices that occurred each business day in 2022 to the 356 breach notices issued daily in the European Union (EU) during 2021 (the most recent year for which EU data is available). In the EU, as in Oregon, data protection/law enforcement officials and the compromised organization determine the risk to individuals or businesses, and are required to fully inform the impacted parties.
“Common sense tells us that data breaches are underreported in the United States. The 1,802 reported here are a minimum estimate. The trends related to publicly reported data breaches in 2022 reinforce the conclusion that the data breach environment is worse than we know and can prove with quantifiable data,” said Velasquez. “The result is individuals are largely unable to protect themselves from the harmful effects of data compromises, which are fueling an epidemic – a scamdemic – of identity fraud committed with stolen or compromised information.”
Supply Chain Gangs Exceed Malware
Cyberattacks remain the primary source of data breaches, but the number of data breaches resulting from supply chain attacks exceeded compromises linked to malware in 2022. Malware is often viewed as the core of most cyberattacks.
However, in 2022, supply chain attacks surpassed the number of malware-based attacks by nearly 40%. Supply chain attacks target organizations by focusing on weaker links. The latest report counted more than 10 million people impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyberattacks affected 3 million people.
There was some good news ITRC’s report: The number of data breaches and exposures linked to unprotected cloud databases dropped 75% in 2022 compared to the previous high point in 2020. Also, physical attacks continued a multi-year downward trend, dropping to 46 out of 1,802 compromises.
High-Profile Breaches Exhibit Underreporting Trends
ITRC’s report also acknowledged that while every data breach has unique elements, there are common threads that illustrate the underreporting trends during 2022. The report listed and capsulized the following data breaches that reflect these tendencies:
Twitter. In December 2022, “In a series of breaches announced by threat actors and cybersecurity researchers – but not Twitter – more than 400 million accounts attached to an estimated 221 million users were offered for sale by cybercriminals in an illicit identity marketplace.” Identity thieves supposedly scraped the data from Twitter by taking advantage of a software flaw reportedly “fixed” earlier in 2022 but still vulnerable to exploitation.
AT&T. In August 2022, AT&T cybersecurity researchers found a file on a popular dark website containing 22.8 million unique email addresses and 23 million unique social security numbers believed related to AT&T customers. “The telecom company did not issue a data breach notice to consumers and denied the information was stolen from their system.” AT&T acknowledged the stolen data “may be tied to a previous data incident at another company,” but did not elaborate.
LastPass. Cybercriminals gained access to source code and development information stored by password management firm LastPass, the company announced in August 2022. The company also announced at the time the thieves had not accessed customer information. In December, the company admitted that cybercriminals indeed gained access to customer data using the information stolen in August. “LastPass has not acknowledged how many accounts or individuals were compromised in the attack.”
Five Guys Enterprises, LLC. Despite learning of a data breach of an employee application system in September 2022, fast-food chain Five Guys waited to alert government officials and impacted consumers in a letter dated December 29, 2022. The company did not disclose the number of individuals impacted, the specific data exposed, information about the attack, or corrective action taken to prevent a repeat occurrence.
Professional Finance Company, Inc. (PFC) In February 2022 ransomware targeted accounts receivable management company PFC, which supports hundreds of healthcare organizations, as part of a supply chain attack. The attack compromised the information of more than 600 client firms. PFC did not initially provide a victim count, but later filed a required notice with the U.S. Department of Health and Human Services disclosing the potential impact to nearly two million individuals.
Illuminate Education. ITRC noted, “In January 2022, the largest breach of student information in the nation’s history occurred when threat actors gained access to the data of millions of students in a single assault – a classic supply chain attack.” Illuminate, which provides popular attendance and grading platforms used by U.S. school systems, did not alert school officials until March 2022 of the event. It also did not reveal the number of impacted students, instead leaving the notification task to individual school districts. While the total victims remain unreported; the estimated victim count as of January 2023 includes more than 600 entities and over 2.1 million individuals. Illuminate was acquired by another education tech company, Renaissance, in August 2022.
Not All Bad News
The ITRC Annual Data Breach Report did cite some positive trends:
· Maryland and Pennsylvania updated their data breach laws in the past year. Maryland now requires organizations to report the details surrounding a data breach, including the number of victims, within 10 days of learning of a breach (down from 45 days). Pennsylvania also expanded the definition of personally identifiable information to include health related information as well as usernames and email credentials.
· The number of data breaches and exposures linked to unprotected cloud databases dropped 75% in 2022 compared to 2020. In 2020, 107 cloud databases with no security exposed the PII of 155 million individuals; in 2022, only 27 unsecured cloud databases caused a data breach or exposure (impacting roughly 7 million people).
· Physical attacks continued a multi-year downward trend, dropping to 46 out of 1,802 compromises. Nearly half were related to stolen devices. System and human error-based data compromises also dropped in 2022 with most events related to PII exposed in emails and other correspondence.